Cyber fraud rises 534% as Nigerian banks lose N3.5bn

Nigerian banks lost N3.5 billion between July and September 2020 to fraud-related incidences, representing a 534-percent increase from the same period in 2019, when it was N552 million.

The Nigeria Inter-Bank Settlement System (NIBSS) in its latest Industry Fraud Report found that the highest number of fraudulent cases (35.5% of the total) were committed on the web channel, transactions that are done using a web browser. Transactions done over phones were responsible for a loss of N410 million at 11.7 percent of the entire loss value.

According to the NIBSS, the trend from the beginning of 2020 has been that the web and mobile channels are viable mediums for exponential fraudulent gains.

“There is, therefore, a need for constant and proactive measures around these channels,” the report noted.

The Nigeria Deposit Insurance Commission (NDIC) said in 2018 that Nigerian banks lost over N15.5 billion ($41.6m) to fraud, a massive jump from what the industry recorded in the previous four years. The industry lost the sum of N12.30 billion to various frauds between 2014 and 2017. About 89 percent of all financial services fraud happened through electronic channels while only 11 percent was non-electronic.

Online fraud is a growing concern for investors in financial services. Since the Central Bank of Nigeria (CBN) in 2014 accelerated its effort to deepen cashless transactions, electronic banking fraud has grown. In 2018 alone, the banking system lost about N15.5 billion, and about 60 percent of the fraud originated online due to banks’ growing investment in internet-based and tech-related banking services.

In the NIBSS report, web and mobile also accounted for the most fraud channels in the second quarter of 2020, as both accounted for a combined 71.42 percent even higher than the 68.65 percent recorded in the third quarter of the same year. Fraud volume on mobile in the third quarter dropped by 5 percent when compared to the second quarter of 2020. Overall, fraud volume and value dropped across all channels.

A 2020 research found three dimensions to electronic fraud in Nigeria including internal fraud carried out by banking staff; external fraud carried out by ordinary Nigerians, and collaboration between fraudsters and banking staff.

Internal fraud is considered the biggest problem facing banking institutions with recent research by Temenos putting their influence at 70 percent. The fraud is usually perpetrated by those with the highest levels of access to information technology (IT) systems, such as systems and database administrators. These actors are better placed to commit or facilitate the fraud and they are capable of erasing all evidence of their actions.

“Access is the most important ingredient in any bank fraud and more than anything else this means access to the IT systems that run the bank’s day-to-day operations and enable its customers to manage their accounts,” Bahru Mossa, founder/CEO, Awtar Technologies, wrote in a post. “Gaining uncontrolled access to the bank’s IT systems enables a fraudster to steal or alter sensitive information, execute illicit transactions and remove evidence of their activities. It is, of course, possible for fraudsters to break into a bank’s IT systems from outside if they are able to exploit weaknesses.”

External bank fraud is the risk of unexpected financial, material, or reputational loss as the result of fraudulent activities of persons that are outside the bank. This type of fraud has been on the rise and taking many forms, including identity theft and account takeover; cyber-attack, card not present fraud, and authorised push payment scams.

In the case of Nigerian banks, the NIBSS report found that social engineering accounted for the most technique used in defrauding banks. It was responsible for 11,589 fraud activities.

Social engineering, in the context of security, is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. For instance, instead of trying to find software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

In the second position is lack of Two Factor Authentication (2FA). 2FA, sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves.

Experts say often some of the fraud activities go undetected because banks are afraid of reputational damage. A public admission that a bank was attacked by cybercriminals could set off panic buttons in customers who may rush to take out their funds.